PR27291, integer overflow in bfd_get_section_contents

Makes the code a little more elegant too.  Note that the unsigned
overflow reported here is well defined so this patch doesn't fix any
real problem.

	PR 27291
	* section.c (bfd_get_section_contents): Avoid possible overflow
	when range checking offset and count.
	(bfd_set_section_contents): Likewise.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ebe2b5882e364da421fd020df0574324a2448fbf..41da87b814f38552b2772cc62c04645eac0a7276 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2021-02-11  Alan Modra  <amodra@gmail.com>
+
+       PR 27291
+       * section.c (bfd_get_section_contents): Avoid possible overflow
+       when range checking offset and count.
+       (bfd_set_section_contents): Likewise.
+
 2021-02-03  Nick Alcock  <nick.alcock@oracle.com>
 
        * configure.ac (SHARED_LIBADD): Remove explicit -lintl population in

diff --git a/bfd/section.c b/bfd/section.c
index 3e6ba0c09389c21b149e6fc8dff599050b4f7282..059b6fa2e572d317a5f70a2878ae01257c46c0fa 100644 (file)
--- a/bfd/section.c
+++ b/bfd/section.c
@@ -1498,8 +1498,7 @@ bfd_set_section_contents (bfd *abfd,
 
   sz = section->size;
   if ((bfd_size_type) offset > sz
-      || count > sz
-      || offset + count > sz
+      || count > sz - offset
       || count != (size_t) count)
     {
       bfd_set_error (bfd_error_bad_value);
@@ -1569,8 +1568,7 @@ bfd_get_section_contents (bfd *abfd,
   else
     sz = section->size;
   if ((bfd_size_type) offset > sz
-      || count > sz
-      || offset + count > sz
+      || count > sz - offset
       || count != (size_t) count)
     {
       bfd_set_error (bfd_error_bad_value);